Authenticating method between a smart card and a terminal

ABSTRACT

The invention concerns a method enabling a smart card and a terminal whereto it is connected to authenticate each other. The invention is characterized in that at the end of each transaction the terminal calculates, from data representing the card at said transaction end, a secret code CSC 2  which is recorded in a zone ZCSC with unprotected access in the card memory and an authentication certificate CA 2  which is recorded in a zone ZCA with protected access of the memory by presenting a secret code CSC 2 . At the next transaction, the terminal calculates, by means of data contained in the card, a secret code and an authentication certificate which are compared to those previously recorded to perform authentication. The invention is applicable to smart cards.

This disclosure is based upon, and claims priority from French Application No. 98/14224, filed on Nov. 12, 1998 and International Application No. PCT/FR99/02692, filed Nov. 4, 1999, which was published on May 25, 2000 in a language other than English, the contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The invention concerns memory chip cards and the terminals to which they are capable of being connected from time to time and, more particularly, a method which enables the memory chip card and the terminal to authenticate one another.

Memory chip cards, on account of their not having a microprocessor, cannot use an authentication algorithm which involves calculations. However, certain memory chip cards use an algorithm in hard-wired form which allows the so-called “active” authentication of the card by the terminal but not the reverse authentication of the terminal by the card. Owing to their low cost, memory chip cards are used a great deal in many applications such as loyalty cards, access control, charge card payments, etc. However, owing to the lack of authentication, their security in use is vulnerable so that microprocessor cards are sometimes preferred to them for certain applications. But these microprocessor cards have a distinctly higher cost, which becomes increasingly higher as the authentication algorithm becomes more developed, which leads to them being ruled out for inexpensive applications. Also, the aim of the present invention is to obtain security in use of memory chip cards.

This aim is achieved by using an authentication method in which all the algorithmic calculations are performed by the terminal to which the memory chip card is connected.

Furthermore, the operations relating to authentication are performed before the start of a transaction proper and after the end of this transaction with a view to the authentication at the start of the following transaction.

SUMMARY OF THE INVENTION

The invention therefore concerns an authenticating method between a memory chip card having at least one counter and a terminal, characterised in that it comprises the following steps consisting of:

(a) inserting the memory chip card into the terminal,

(b) calculating, in the terminal, a secret code CSC₁, according to a cryptographic function F of a number of variables comprising at least a code CSN identifying the memory chip card and the value of said counter,

(c) authenticating the terminal by the card when the calculated secret code CSC₁ is identical to a code CSC₀ recorded in the memory at the end of the previous authentication according to the operation (f) below,

(d) carrying out the planned transaction and modifying the value of said counter,

(e) calculating, in the terminal, a new secret code CSC₂ according to the cryptographic function F of the code CSN identifying the memory chip card and the new value of said counter,

(f) updating the memory chip card for the next transaction by recording, in the memory, the new secret code CSC₂ calculated by the operation (e).

In order to obtain authentication of the card by the terminal, the method comprises the following supplementary steps between the steps (c) and (d) consisting of:

(x) calculating, in the terminal, an authentication certificate CA₁ according to a cryptographic function G of a number of variables comprising at least the code CSN identifying the memory chip card and the value of said counter,

(y) authenticating the card by the terminal when the calculated authentication certificate CA₁ is identical to a certificate CA₀ calculated and recorded in the card at the end of the previous transaction according to the steps (e′) and (f′) below:

-   -   in that the step (e) is supplemented by the following step         consisting of:

(e′) calculating, in the terminal, a new authentication certificate CA₂ according to the cryptographic function G,

-   -   and in that the step (f) is supplemented by the following step         consisting of:

(f′) updating the memory chip card for the next transaction by recording, in the memory, the new authentication certificate CA₂ calculated according to the step (e′).

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages, of the present invention will emerge from a reading of the following description of a particular embodiment, said description being given with reference to the accompanying drawing in which:

FIG. 1 is a simplified diagram of a memory chip card, and

FIG. 2 is a chart showing the operations performed between the terminal and the memory chip card during a transaction.

DETAILED DESCRIPTION

The method of the invention applies (FIG. 1) to a memory chip card CM which of course comprises a memory M but also a so-called transaction counter CT which counts the transactions performed between the card CM and a terminal TE to which the card is connected by insertion.

The memory chip card CM can also comprise a second so-called authentication counter CE which counts the authentication requests, these authentication requests possibly occurring at any time during a transaction and independently thereof.

These two counters CE and CT can form part of the memory M according to known devices.

In addition, the memory M of the card comprises a first area with unprotected read access in which there is recorded, for example the serial number CSN of the card in a part ZCSN, and a second area with protected access for the rest of the memory, this second area having parts which are allocated to the recording of particular values such as an Authentication Certificate CA in the part ZCA and a balance BAL and its authentication certificate CBAL in the part ZBAL.

A third area ZCSC is reserved for the recording of a secret code CSC and its access for recording is subject to presentation of the secret code CSC.

The memory M is addressed by an addressing circuit ADR and the two-way transmission of signals between the terminal TE and the card CM takes place by means of an interface circuit INT.

Furthermore, the card comprises a comparator CP which compares the code CSC read from the part ZCSC with a code supplied by the terminal TE, the result of the comparison allowing or not allowing the addressing of the protected area of the memory M.

The method according to the invention will be described within the context of a mutual authentication between the card and the terminal using the transaction counter CT alone and so-called one-way cryptographic functions but the method of the invention can also apply to authentication of the terminal by the card alone, and to simultaneous use of the two counters CE and CT and cryptographic functions other than one-way ones. The various operations, notably cryptographic operations, can be carried out either in the terminal TE, or in a security module, or even in a remote device.

Preferably, the mutual authentication method according to the invention comprises the following steps consisting of:

(m) inserting the card CM into the terminal TE, this step possibly including the presentation of a personal code PIN of the card user,

(n) calculating, in the terminal TE, a session key Ks₁ by:

(n₁) reading the serial number CSN of the card CM,

(n₂) reading the content CTC₁ of the transaction counter CT of the card CM, and

(n₃) calculating a session key Ks₁ according to a one-way cryptographic function F_(ks) such that: Ks₁=F_(ks)(K_(m), CSN, CTC₁)

-   -   K_(m) being a parent key recorded in the terminal TE,     -   F_(ks) being for example a function of the hashing type,

(o) calculating, in the terminal TE, a secret code CSC₁ of the card using a cryptographic function F such that: CSC₁=F(Ks₁),

(p) authenticating the terminal TE by the card CM by:

-   -   (p₁) transmitting the secret code CSC₁ to the card CM,     -   (p₂) comparing, in the comparator CP, this secret code CSC₁ with         a secret code CSC₀ recorded in the card CM at the end of the         previous transaction with the card, and     -   (p₃) authorizing the remainder of the operations if the         comparison indicates the identity CSC₀=CSC₁ or refusing same in         the contrary case;

(q) calculating, in the terminal TE, an Authentication Certificate CA₁ such that: CA₁=G(Ks₁)

-   -   G being a cryptographic function, and

(r) authenticating the card CM by the terminal TE by:

-   -   (r₁) reading the content CA₀ of the area ZCA of the memory of         the card CM,     -   (r₂) transmitting, to the terminal TE, the content CA₀ of this         protected area ZCA which corresponds to an Authentication         Certificate CA₀ calculated at the end of the previous         transaction,     -   (r₃) comparing, in the terminal TE, the calculated         Authentication Certificate CA₁ with the certificate CA₀, and     -   (r₄) authorizing the remainder of the operations if the         comparison indicates the identity CA₁=CA₀;

(s) carrying out the transaction, this transaction possibly consisting for example of updating a memory area ZBAL indicating the state of the credit or balance BAL remaining in the card CM by:

-   -   (s₁) reading, from the area ZBAL, the value BAL₀ of the balance         resulting from the previous transaction and the corresponding         certificate CBAL₀,     -   (s₂) verifying that the certificate CBAL₀ correctly corresponds         to the result of the cryptographic function such that:         CBAL₀=H(K_(t), BAL₀, CSN, CTC₁),     -   K_(t) being a transaction key,     -   (s₃) incrementing the transaction counter to the value         (CTC₁+1)=CTC₂     -   (s₄) recording the new balance BAL₁ in the area ZBAL,     -   (s₅) calculating a Certificate CBAL₁ for the new balance BAL1         such that:         CBAL₁=H(K_(t), BAL₁, CSN, CTC₂), and     -   (s₆) recording CBAL₁ in the area ZBAL;

(t) updating the card CM for the next transaction with a new secret code CSC₂ and a new certificate CA₂, by

-   -   (t₁) calculating in the terminal TE:     -   the future session key KB₂ such that;         Ks₂=F(K_(m), CSN, CTC₂)     -   the future secret code CSC₂ such that:         CSC₂=P(Ks₂),     -   the future authentication certificate CA₂ such that:         CA₂=G(Ks₂),     -   (t₂) recording the secret code CSC₂ in the memory M of the card         CM in the protected area and the authentication certificate CA₂         in the protected area ZCA.

The invention has been described with a particular embodiment in which the transaction is an operation on the balance value of the card; however, the invention applies to any other transaction according to the applications provided for the card under consideration.

In this particular example, the transaction ends with an incrementing of the transaction counter CT to a value CTC₂ which is usually equal to (CTC₁+1). However, this value of CTC₂ can be different from (CTC₁+1) and be equal, for example, to (CTC₁+3).

This transaction counter must be incremented or decremented at each transaction even if the operation leads to the balance not being changed; in this case, it is necessary to perform the transaction by re-recording the unchanged balance but the certificate CBAL₁ will be different since the transaction counter will have been incremented. The same will apply for the new secret code CSC₂ and the certificate CA₂

The variables of the functions F, G and F_(ks) which have been adopted in the example are the parent key, the serial number CSN and the value CTC of the transaction counter. However, additional variables can be used such as the personal code PIN of the card user, this code being entered into the terminal after insertion of the card.

The invention has been described within the context of a card/terminal mutual authentication but it applies more generally first to an authentication of the terminal by the card, this first authentication possibly being followed or not followed by an authentication of the card by the terminal, the set of these two authentications making a mutual authentication.

The example described uses cryptographic functions F, G and F_(ks) using variables such as a parent key K_(m), a session key K_(s) and a transaction key K_(t), but such keys are not necessary for implementing the invention.

The value of the authentication counter CE is preferably used for calculating the secret code CSN while the value of the transaction counter CT is preferably used for calculating the authentication certificate CA. 

1. An authenticating method between a memory chip card having at least one counter and a terminal, comprising the following steps: (a) inserting the memory chip card into the terminal, (b) calculating, in the terminal, a secret code CSC₁, according to a cryptographic function F of a number of variables comprising at least a code CSN identifying the memory chip card and the value of said counter, (c) authenticating the terminal by the card when the calculated secret code CSC₁ is identical to a code CSC₀ recorded in a memory of the card at the end of a previous authentication operation, (d) carrying out a desired transaction and modifying the value of said counter, (e) calculating, in the terminal, a new secret code CSC₂ according to the cryptographic function F of the code CSN identifying the memory chip card and the new value of said counter, (f) updating the memory chip card for the next transaction by recording, in said memory, the new secret code CSC₂ calculated by the operation (e).
 2. A method according to claim 1, further including the following steps between the steps (c) and (d): (x) calculating, in the terminal, an authentication certificate CA₁ according to a cryptographic function G of a number of variables comprising at least the code CSN identifying the memory chip card and the value of the counter, (y) authenticating the card by the terminal when the calculated authentication certificate CA₁ is identical to a certificate CA₀ calculated and recorded at the end of the previous transaction, and wherein step (e) is supplemented by the step of (e′) calculating, in the terminal, a new authentication certificate CA₂ according to the cryptographic function G of the code CSN identifying the memory chip card and the new value of said counter, and wherein step (f) is supplemented by the step of (f′) updating the memory chip card for the next transaction by recording, in the memory, the new authentication certificate CA₂ calculated according to the step (e′).
 3. A method according to claim 2 wherein step (b) comprises the following steps: first calculating, in the terminal, a session key K_(s1) according to a cryptographic function F_(ks) of a number of variables comprising at least a parent key K_(m) known by the terminal, the code CSN identifying the memory chip card and the value of said counter, next calculating, in the terminal, the secret code CSC₁ according to the cryptographic function F of the session key K_(s1), and wherein step (e) comprises: first calculating, in the terminal, a new session key K_(s2) according to the cryptographic function F_(ks) with the new value of said counter, next calculating, in the terminal, the new secret code CSC₂ according to the cryptographic function F of the new session key K_(s2).
 4. A method according to claim 3 wherein step (e′) includes the step of calculating the new authentication certificate CA₂ according to the cryptographic function G of the new session key K_(s2).
 5. A method according to claim 1 wherein the memory chip card comprises two counters, one counting the authentications and the other counting payment transactions, and wherein the variables of the cryptographic functions comprise the values of said counters.
 6. A method according to claim 1 wherein the cryptographic functions are one-way functions.
 7. A method according to claim 6, wherein the cryptographic functions are “hashing” functions.
 8. A method according to claim 3, wherein step (b) comprises the following steps: (b₁) reading the serial number CSN of the card, (b₂) reading the content of the counter, and (b₃) calculating the session key according to a cryptographic function F_(ks) such that: Ks₁=F_(ks) (K_(m), CSN, CTC₁).
 9. A method according to claim 1, wherein step (c) comprises the following steps: (c₁) transmitting the secret code CSC₁ to the card, (c₂) comparing, in the card, this secret code CSC₁ with a secret code CSC₀ recorded in the card at the end of the previous transaction with the card, and (C₃) authorizing the remainder of the operations if the comparison indicates the identity CSC₀=CSC, or refusing same if CSC₀ is not equal to CSC₁.
 10. A method according to claim 2, wherein step (y) comprises the following steps: (y₁) reading the content CA₀ of a designated area of the memory of the card CM, (y₂) transmitting, to the terminal, the content CA₀ of said area which corresponds to an Authentication Certificate CA₀ calculated at the end of the previous transaction, (Y₃) comparing, in the terminal, the calculated Authentication Certificate CA₁ with the certificate CA₀, and (y₄) authorizing the remainder of the operations if the comparison indicates the identify CA₁=CA₀.
 11. A method according to claim 1, wherein step (d) comprises the following steps: (d₁) reading, from an area of the memory, the value BAL₀ of a balance resulting from the previous transaction and a corresponding certificate CBAL₀, and (d₂) verifying that the certificate CBAL₀ correctly corresponds to the result of the cryptographic function such that: CBAL₀=H(K_(t), BAL₀, CSN, CTC₁), K_(t) being a transaction key, (d₃) incrementing the transaction counter to the value (CTC₁+1)=CTC₂. (d₄) recording the new balance BAL₁ in said area, (d₅) calculating a Certificate CBAL₁ for the new balance BAL₁ such that: CBAL₁=H(K_(t), BAL₁, CSN, CTC₂), and (d₆) recording CBAL₁ in said area.
 12. A method according to claim 1 wherein step (a) also comprises a step of entering a personal code of the user.
 13. A method according to claim 3, wherein in step (b), one of the variables used for calculating the session key Ks₁ is a personal code PIN of the user.
 14. A method according to claim 1 wherein step (b) comprises the following steps: first calculating, in the terminal, a session key K_(s1) according to a cryptographic function F_(ks) of a number of variables comprising at least a parent key K_(m) known by the terminal, the code CSN identifying the memory chip card and the value of said counter, next calculating, in the terminal, the secret code CSC₁ according to the cryptographic function F of the session key K_(s1), and wherein step (e) comprises: first calculating, in the terminal, a new session key K_(s2) according to the cryptographic function F_(ks) with the new value of said counter, next calculating, in the terminal, the new secret code CSC₂ according to the cryptographic function F of the new session key K_(s2).
 15. A method according to claim 14, wherein step (b) comprises the following steps: (b₁) reading the serial number CSN of the card, (b₂) reading the content of the counter, and (b₃) calculating the session key according to a cryptographic function F_(ks) such that: Ks₁=F_(ks)(K_(m), CSN, CTC₁). 